https://community.cisco.com/t5/network-access-control/ise1-3-wireless-configuration/m-p/2700977#M55403 <P>Hello&nbsp;Marinos/Ashish,</P><P>&nbsp;</P><P>Thanks for your advise,</P><P>&nbsp;</P><P>I understood and configured a single VLAN for domain users and they are able to connect if system is in domain, Guest user will connect to another ssid.&nbsp;Client requirement is only for authentication because of having base license only. But I have some few question:</P><P>&nbsp;</P><P>1. I have configured one wireless authorization policy for domain users but users are authenticating another default&nbsp;<STRONG>Basic_Authenticated_Access </STRONG>policy in which Permission is permit access. And users are getting the same VLAN IP address&nbsp;which I have mapped in wlc against&nbsp;ssid. &nbsp;There is no VLAN tagging happening but only domain user's are authenticating. So it means only one VLAN required for authentication only or do we require separate&nbsp;preauth vlan.</P><P>2. Do we require to configure dynamic ACL in WLC, if yes then what would it be.</P><P>3. Can we restrict only one domain user id will get connected at a time.</P><P>&nbsp;</P><P>Regards:</P><P>Kamlesh</P><P>&nbsp;</P> Wed, 27 May 2015 07:34:51 GMT kamlenegi 2015-05-27T07:34:51Z https://community.cisco.com/t5/network-access-control/ise1-3-wireless-configuration/m-p/2700974#M55400 <P>Hi All,</P><P>&nbsp;</P><P>We are implementing ISE 1.3 for wireless users, please advise where to map quarantine vlan when user first connect to ssid. If user is domain then get the actual vlan ip address if not then get guest vlan IP.</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks</P><P>Kamlesh</P> Mon, 11 Mar 2019 05:45:20 GMT https://community.cisco.com/t5/network-access-control/ise1-3-wireless-configuration/m-p/2700974#M55400 kamlenegi 2019-03-11T05:45:20Z https://community.cisco.com/t5/network-access-control/ise1-3-wireless-configuration/m-p/2700975#M55401 <P>Hello Kamlesh,</P><P>In a wireless environment, authentication must be done before anything else (using dot1x). So you don't need a "quarantine" vlan. If user is authenticated (using AD credentials or certificate) then he has access to the "actual" vlan.</P><P>You cannot use a fallback vlan if authentication fails.</P><P>Please explain me what you have in your mind.</P><P>Regards.</P><P>Alexandros.</P> Tue, 26 May 2015 13:34:41 GMT https://community.cisco.com/t5/network-access-control/ise1-3-wireless-configuration/m-p/2700975#M55401 Alexandros Marinos 2015-05-26T13:34:41Z https://community.cisco.com/t5/network-access-control/ise1-3-wireless-configuration/m-p/2700976#M55402 <P>Agreed.</P><P>Authentication is best option to fullfill the requirement in your case.</P><P>Generally for the Guest users we can use authentication or it can bypass the phase, May be separate SSID's will be solution for your case.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards:</P><P>Ashish Arora</P><P>&nbsp;</P> Tue, 26 May 2015 17:49:07 GMT https://community.cisco.com/t5/network-access-control/ise1-3-wireless-configuration/m-p/2700976#M55402 Ashish Arora 2015-05-26T17:49:07Z https://community.cisco.com/t5/network-access-control/ise1-3-wireless-configuration/m-p/2700977#M55403 <P>Hello&nbsp;Marinos/Ashish,</P><P>&nbsp;</P><P>Thanks for your advise,</P><P>&nbsp;</P><P>I understood and configured a single VLAN for domain users and they are able to connect if system is in domain, Guest user will connect to another ssid.&nbsp;Client requirement is only for authentication because of having base license only. But I have some few question:</P><P>&nbsp;</P><P>1. I have configured one wireless authorization policy for domain users but users are authenticating another default&nbsp;<STRONG>Basic_Authenticated_Access </STRONG>policy in which Permission is permit access. And users are getting the same VLAN IP address&nbsp;which I have mapped in wlc against&nbsp;ssid. &nbsp;There is no VLAN tagging happening but only domain user's are authenticating. So it means only one VLAN required for authentication only or do we require separate&nbsp;preauth vlan.</P><P>2. Do we require to configure dynamic ACL in WLC, if yes then what would it be.</P><P>3. Can we restrict only one domain user id will get connected at a time.</P><P>&nbsp;</P><P>Regards:</P><P>Kamlesh</P><P>&nbsp;</P> Wed, 27 May 2015 07:34:51 GMT https://community.cisco.com/t5/network-access-control/ise1-3-wireless-configuration/m-p/2700977#M55403 kamlenegi 2015-05-27T07:34:51Z